When Phishing Cuts Communications

Phishing has made it inadvisable for institutions like banks and financial sites to use email to communicate with customers. Doing so would just confuse them more and raise the likelihood they would be fooled by a phish. But what about ordinary institutions like schools and colleges?

The Worcester Telegram & Gazette reported earlier this week (payment required) that officials at the local college, Assumption, “will no longer send e-mail to alumni until it can avoid a repetition of a computer-system invasion Friday in which scammers obtained the e-mail addresses of alumni, parents and employees”.

It’s not quite clear how the scammers got hold of the mailing list. But once they did, they appear to have used the list to send out a Citibank phishing email, with the college’s domain name somewhere in the header. It’s not clear how many people fell for the scam.

The problem here is that an institution like a college is much more likely to use email to communicate with alumni, students and staff. Indeed, that was how Thomas E. Ryan, Assumption’s vice president of institutional advancement, warned alumni, parents and employees about the scam.

You can imagine the confusion: First they get an email that seems to be from Citibank (or the college) warning of a “large number of identity theft attempts” on Citibank customers and requiring them to “confirm your banking details.” Then they get an email from the college warning of an email scam. Now, the college says, it won’t use email to communicate with alumni: “Until the cause is determined and fail-proof virus and scam protections are in place, no alumni e-mails will be sent from the college,” Ryan was quoted as saying. The reality, though, is that there is no fail-proof protection and institutions like Assumption may find they have to use something other than email to communicate with their alumni or whatever. That raises troubling questions about how institutions, companies and bureaucracies communicate, even internally.

Phear Of Phishing Doesn’t Just Hit The Bankers

Beware The Fear. The blizzard of coverage about phishing (usually involving some awful pun) has done a lot to raise awareness about the problem, but is it enough?

A survey by Insight Express for Symantec of 300 people (no URL available yet, sorry) shows that while three quarters of folk are aware of spyware, only a quarter of them have heard of phishing. This cloud of ignorance creates confusion and fear: 44.2 percent of respondents thought they had visited a fraudulent Web site but were not sure. 19.3 percent said they had definitely visited a fraudulent Web site. A little over half are somewhat concerned about online fraud, while 42 percent are ‘very concerned’. In other words, nearly everyone is worried.

This fear is already having an impact. Three quarters of folk will now only purchase products through secure sites. That’s encouraging — and not bad for business — but the following figures are not: nearly half will not now provide confidential data over the Internet, while nearly a third won’t use the Internet for online banking. About 15% said they don’t trust the Internet.

This fear and distrust is not going to go away. More than half of respondents felt they knew how to protect themselves from online fraud and/or online identity theft, while a bit under half didn’t think they knew how to protect themselves. Taken with my own unscientific dabbling and MailFrontier’s recent survey which found that 28% of American adults “inaccurately identify phishing emails”, I’d say we have a problem. Or in fact several.

First off, many of those people who think they know how to protect themselves are easy prey. They are going to continue to be duped as phishing attacks grow more sophisticated. That’s going to keep the problem going, in part because of weak or misleading ‘solutions’ such as browser tools and software that supposedly ‘identifies’ fraudulent emails or links. These tools only raise people’s comfort levels and lower their guard.

The broader problem is this: As the number of victims rises, the number of people not giving confidential data over the Internet, not using Internet banking, and ‘not trusting the Internet’, is going to rise. This is already hurting retailers who have found major cost savings by shifting business over to the Internet. A piece yesterday by The Register’s John Leyden quotes a recent survey by LogicaCMG as saying that one in five British users would “hesitate about booking trips online because of mistrust of the ability of travel companies to keep their financial and personal details secure”. Given it costs a travel agent 40 times more to take a booking by phone than online, this is hitting their bottom line hard. This will only get worse as more victims succumb, and phishing attacks are no longer one of the bad things that happen to other people.

Then there’s the banks. It’s been suggested to me that banks don’t really care about whether people use Internet banking, since if people start going back to their branches to do their business banks will make their money anyway. But, while appealing, that conspiracy theory fails to take into account the link between online commerce and online banking. If people don’t trust the Internet to do banking, it’s very unlikely they’ll buy something online. That will hit credit card business hard, a mainstay of retail banks. Like it or not, the fate of banks is inextricably tied to the fate of online retailing. So banks don’t have much choice.

Bottom line: The future of online commerce is not just about whether it’s viable for retailers to do some of their business online. For many retailers it is their business, or at least it’s the difference between being profitable or not. Phishing is not just an attack on banking and financial sites. It’s an attack on the future of online commerce, which, believe it or not, is still vulnerable because it relies on trust. And trust is not just about reassuring customers, or launching vague ‘education campaigns’ to give people a vague idea about whether they’re safe, and what to do to make themselves safer. It’s about making transactions secure, policing website registries for fraudulent domains, working together for a better way to communicate between retailer/bank and customer. All of these things, a year after phishing took off, haven’t been done. Hence The Fear.

Is SPIM Another Non-Problem?

No. It is a real problem, if only because there are still plenty of sleazy people figuring out new ways to ruin your day.

There’s some skepticism out there about this new spam threat: SPIM, in case you didn’t know, is spam that’s delivered, not to your inbox, but to your instant messaging chat program, like ICQ. Some folk say it’s a problem. Yankee Group, according to a recent report, estimates that currently five to eight percent of all instant messages are spam generated by automated bots. Others are more skeptical. Greg Cher on thespamweblog points out that he’s “been on all three of the major IM’s for at least years and have never…ever had a problem with ‘spim’.”

I was skeptical too, until I today saw these programs being peddled via PRWeb: “ICQPromoter is a powerful tool for sending messages to thousands of Online or Offline ICQ users. Audience can be targeted by specific interests, country, city, occupation, age, gender or language.” The company behind this, Nanosoft Inc. of Milpitas, California, also offer:

  • Admessenger (“a feature-rich direct advertising program designed to deliver your messages directly to upto 2 Billion Windows 2000, XP, and NT desktops…It is like showing Banner Advertisement with paying a single penny”)
  • Yahoo Answering Machine (“Serves as Perfect Advertising Machine and Advertisement Machine. You can send Message in Room after Predefined time. Send PM to all users in Current Chat Room.”)

You get the idea. These programs will basically spam large numbers of people using chat messengers, or Yahoo chat rooms, all of them automated. What would be amusing if it weren’t so dumb is the fact that Nanosoft prominently display their “zero-tolerance policy” towards Spam. “If you have found this website due to spam, please let us know,” they say. Presumably that doesn’t include using the products they sell?

On closer inspection, Nanosoft have some other rather sleazy products on display. How about this for size: Shadow Pooper [sic], which will, unknown to the user, “periodically open new browser (in fullscreen mode) and load your ad page.” And just in case that’s not intrusive enough for you, “it also can change users Homepage in browser to any URL you choose.” Helpfully, the blurb says “All you need, is to force user install your application on his PC. Use your imagination. Advertise your application as free xxx-dialer, internet booster, etc… You can even include it in installation pack with other free software.” So now we know how spyware works.

Then there’s the problem that Google have come across: The way that advertising via pay-per-click can be abused. Nanosoft offer this: the Traffic Blaster/URL Generator which will “allow you to generate a massive amount of traffic to any website you wish. Affiliate sites, Banner Sites, Exit Exchanges, and the list goes on and on.” To be honest, I’m not clear from the blurb exactly how this works. Definitely worth a closer look though.

Ironically, these are the same guys selling Popup blockers, chat encrypters, privacy protectors and evidence eliminators. Which brings me back to an earlier post on the question: How can you buy software to protect your privacy from folk you don’t trust? (And I couldn’t help noticing that Nanosoft don’t really trust their customers. This message appears on their website: “Because of the growing incidences of Internet fraud, we log everything and take it very seriously. All the fraudulent transactions will be reported to FBI’s Internet Fraud Complaint Center (IFCC).” Right.)

Ho, Ho, Ho, Tis The Season Of The Online Scam

Phishing — the art of depriving folk of their sensitive password data and then using it to empty their pockets — has become the scam du jour of the holiday season. The Anti-Phishing.org website says it has seen ‘dramatic’ growth in November and December of email spoofing (emails claiming to be from, for example, your bank) and general fraud activity. (Anti-Phishing is an industry group founded by Tumbleweed Communications, a builder of anti-spam software.) For example:

— More than 60 unique new phishing email fraud attacks have been launched against consumers in the last 2 weeks
— Over 60 million email fraud attacks are estimated to have been sent out in the same period – timed for the peak of the holiday season
— eBay customers were the most highly targeted by scammers, with 24 unique email fraud attacks over the past 60 days
— Online financial institutions, including banks, Visa and PayPal, represented the largest target group with 35 unique email fraud attacks reported over the past 60 days

It seems that phishing has been remarkably rewarding for the scammers involved. The Anti-Phishing Working Group reckons an average of 5% of recipients respond to such emails, resulting in financial losses, identity theft, and other fraudulent activity. And, perhaps worse, this “activity threatens the integrity of companies that do business online”. (I’m assuming they’re talking about banks, eBay and other folk who rely on ordinary folk to maintain their faith in the security of online commerce.)

There are a number of ingenious scams that play on the holiday theme — which also highlight that it’s not just banks and big-ticket items that the phishers are targeting. One example is a fake online Christmas card, designed to compromise AOL accounts. In this scam, the recipient receives a spoofed email from the “AOL Hallmark” team, and is asked to visit a website to pick up his/her card. In order to access the site (which is run by the scammer), the user is asked to log in to his or her AOL account, thereby divulging the account name and password. The compromised account can then be used, Anti-Phishing says, to launch further phishing attacks, virus attacks, spam, or other nefarious activity.

Clearly this sort of thing is going to grow, becoming more sophisticated as users wise up to the scams. Recent emails now play upon the growing awareness of scams by claiming to be from your bank, warning you about such scams and telling you to ignore other emails. They then, of course, go on to tell you to visit the legitimate website to confirm your password. (The main component of this trick is that 90% of the email is genuine, in that the images are all from the bank’s website, and if you hover your mouse over the link you’re being asked to visit, it may well look genuine too. What you’re actually seeing is a clever ruse: the real website is buried at the end of the link, hidden after a lot of empty space. So checking that sort of thing is no longer enough. It should go without saying that you shouldn’t react to any email that requires you to do anything with your password. For a good resource on such scams, check out Codefish.)
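The padded-link ruse described above is mechanical enough that a mail gateway or a cautious user can check for it automatically. The following is an added Python example, not code from the original post, Codefish or any bank: it pulls every link out of an HTML message body, undoes whitespace and %20 padding in the link target, works out which host a browser would actually contact, and compares that against both the host named in the visible link text and a small allow-list of the institution’s real domains. The sample message body, the `TRUSTED_HOSTS` list and the `examplebank.com` / `login-verify.example` names are constructed for the example. It goes one step beyond the post by also flagging a link whose authority part contains an `@`, since under the URL syntax everything before the `@` is user information rather than the host, and a genuine bank link has no reason to carry it.

```python
"""Flag links in an HTML e-mail whose visible text and real destination
disagree, including targets padded with whitespace or %20 sequences."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Hosts the institution really uses. Constructed allow-list for this example.
TRUSTED_HOSTS = {"www.examplebank.com", "examplebank.com"}

# Constructed sample body in the style the post describes: bank-looking text,
# a padded link target, and one genuine-looking help link for contrast.
SAMPLE_HTML = (
    "<p>We have seen a large number of identity theft attempts. Please "
    '<a href="http://www.examplebank.com' + " " * 60
    + '@login-verify.example/confirm">http://www.examplebank.com/login</a> '
    "to confirm your banking details.</p>"
    '<p>Questions? See <a href="https://www.examplebank.com/help">'
    "www.examplebank.com/help</a>.</p>"
)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def real_host(url):
    """Return (host the browser will contact, whether '@' userinfo is present)."""
    # unquote() turns %20 into spaces; the regex then drops all whitespace, so
    # padding inserted to push the real host out of view no longer hides it.
    cleaned = re.sub(r"\s+", "", unquote(url))
    parts = urlsplit(cleaned)
    return (parts.hostname or "").lower(), "@" in parts.netloc


def host_in_text(text):
    """Host named by the visible link text, if the text looks like a URL or domain."""
    match = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
    return match.group(1).lower() if match else None


def check_links(html):
    """Return a list of findings, one per suspicious link; empty means clean."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host, has_userinfo = real_host(href)
        reasons = []
        if re.search(r"\s|%20", href):
            reasons.append("href contains padding whitespace")
        if has_userinfo:
            reasons.append("href carries userinfo; the host after '@' is the real destination")
        shown = host_in_text(text)
        if shown and shown != host:
            reasons.append(f"visible text names {shown} but the link goes to {host}")
        if host not in TRUSTED_HOSTS:
            reasons.append(f"{host} is not a known institution host")
        if reasons:
            findings.append({"href": href, "text": text, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in check_links(SAMPLE_HTML):
        print(finding["host"], "->", "; ".join(finding["reasons"]))
```

Run against the sample, the padded link is reported on all four counts and the help link passes; the allow-list comparison is what makes the check useful even when the visible text and the target happen to agree, because a look-alike domain shown consistently in both places is still not the bank.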

In the end all this will help educate users about the Internet and improve their own security. I don’t see it doing any serious damage to online commerce, at least in terms of undermining public confidence. I do believe, however, that we’ve seen only the tip of the iceberg in terms of the sophistication of scammers, and banks and other online institutions must improve their awareness of the threat, as well as protect and educate their customers.

Have a phishing-free Christmas.